What is claimed is:

1. A security system for allowing a client to access a protected resource, comprising:

an application interface mechanism for receiving an access request from a client application to access a protected resource, and communicating said access request to a security service;

a security service for making a decision to permit or deny said access request; and,

a resource interface for communicating permitted access requests to said protected resource.

2. The security system of claim 1 wherein said application interface mechanism includes an application container for reading an application deployment description and registering said deployment description within the security service.

3. The security system of claim 2 wherein said application container is an Enterprise Java Beans container.

4. The security system of claim 2 wherein said application container is a 
WebApp container. 

5. The security system of claim 1 wherein said security service includes a plurality of access decision mechanisms for defining an access policy and for determining a contributory decision to permit, deny, or abstain from said access request.

6. The security system of claim 5 wherein said security service further includes an access controller for transferring said access request to said plurality of access decision mechanisms, and for combining said contributory decisions into an overall decision by the security service to permit or deny said access request.

7. The security system of claim 5 wherein said access decisions represent a business function related access policy.

8. The security system of claim 5 wherein access decisions may be added 
to the security service to reflect changes in the access policy. 

9. The security system of claim 5 wherein said access decision mechanisms 
are used to define an entitlement for said client to access said protected 
resource. 

10. The security system of claim 5 wherein a deny or abstain by any one of said access decision mechanisms causes the security service to deny the access request.

11. The security system of claim 5 wherein an abstain by any one of said access decision mechanisms does not cause the security service to deny the access request.

12. The security system of claim 5 wherein said security service further includes an audit mechanism for auditing the determinations of said plurality of access requests.

13. The security system of claim 1 wherein said resource interface includes an interface mechanism to pass requests to or from a protected resource.

14. The security system of claim 13 wherein said interface mechanism 
includes a Java J2EE security interface. 

15. The security system of claim 13 wherein said interface mechanism 
includes a security provider interface. 

16. The security system of claim 13 wherein said interface mechanism is included as a plug-in in said resource interface.

17. The security system of claim 1 wherein the security service further makes 
a decision on whether to permit or deny a response to said access request from 
said protected resource to said client. 

18. A method of allowing a client to access a protected resource, comprising:

receiving at an application interface mechanism an access request from a client application to access a protected resource and communicating said access request to a security service;

making a decision at said security service to permit or deny said access request; and,

communicating via a resource interface a permitted access request to said protected resource.

19. The method of claim 18 wherein said application interface mechanism includes an application container for reading an application deployment description and registering said deployment description within the security service.

20. The method of claim 19 wherein said application container is an 
Enterprise Java Beans container. 

21. The method of claim 19 wherein said application container is a WebApp container.

22. The method of claim 18 further comprising:

defining an access policy via a plurality of access decision mechanisms within said security service; and,

determining at each access decision mechanism a contributory decision to permit, deny, or abstain from said access request.

23. The method of claim 22 further comprising:

transferring via an access controller said access request to said plurality of access decision mechanisms, and combining said contributory decisions into an overall decision by the security service to permit or deny said access request.

24. The method of claim 22 wherein said access decisions represent a 
business function related access policy. 

25. The method of claim 22 wherein access decisions may be added to the 
security service to reflect changes in the access policy. 
26. The method of claim 22 further comprising:

using said access decision mechanisms to define an entitlement for said client to access said protected resource.

27. The method of claim 22 wherein a deny or abstain by any one of said access decision mechanisms causes the security service to deny the access request.

28. The method of claim 22 wherein an abstain by any one of said access decision mechanisms does not cause the security service to deny the access request.

29. The method of claim 22 further comprising:

auditing via an audit mechanism the determinations of said plurality of access requests.
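The following Python sketch is an added illustration, not code from the patent or from any product it describes. It models the access controller of claims 5 to 12 and their method counterparts in claims 22 to 29: a set of access decision mechanisms each returning permit, deny or abstain, an access controller that transfers the request to all of them and combines the contributory decisions, the two combining rules of claims 10/27 (an abstain denies) and 11/28 (an abstain alone does not deny), the ability to add a mechanism to reflect a policy change (claims 8/25), and an audit record of each determination (claims 12/29). All names, the sample roles and the two sample policies are assumptions made for this example, as is the choice to deny when every mechanism abstains.

```python
# Added illustration, not code from the patent: an access controller that transfers a request to
# several access decision mechanisms and combines their contributory decisions (claims 5-12, 22-29).
# All class and function names, and the sample roles and policies, are assumptions made for this example.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Set, Tuple


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    action: str


# An access decision mechanism is any callable mapping a request to a contributory decision.
AccessDecisionMechanism = Callable[[AccessRequest], Decision]

# Constructed sample role assignments standing in for a user directory.
ROLES: Dict[str, Set[str]] = {"alice": {"trader"}, "bob": {"auditor"}}


def role_policy(resource_prefix: str, required_role: str) -> AccessDecisionMechanism:
    """Business-function policy (claim 7): resources under the prefix need a role;
    requests for other resources are outside this function, so the mechanism abstains."""
    def decide(req: AccessRequest) -> Decision:
        if not req.resource.startswith(resource_prefix):
            return Decision.ABSTAIN
        has_role = required_role in ROLES.get(req.subject, set())
        return Decision.PERMIT if has_role else Decision.DENY
    return decide


def business_hours_policy(hour_now: int) -> AccessDecisionMechanism:
    """Only opines on 'modify' requests: permits them during 09:00-17:00, denies otherwise."""
    def decide(req: AccessRequest) -> Decision:
        if req.action != "modify":
            return Decision.ABSTAIN
        return Decision.PERMIT if 9 <= hour_now < 17 else Decision.DENY
    return decide


class AccessController:
    """Combines contributory decisions into the security service's overall decision (claims 6, 23).

    abstain_denies=True  -> a deny or abstain by any mechanism denies the request (claims 10, 27).
    abstain_denies=False -> an abstain alone does not deny; a deny still wins (claims 11, 28).
    Assumption for this example: if every mechanism abstains, the request is denied (fail closed).
    """

    def __init__(self, mechanisms: Iterable[AccessDecisionMechanism], abstain_denies: bool) -> None:
        self.mechanisms: List[AccessDecisionMechanism] = list(mechanisms)
        self.abstain_denies = abstain_denies
        # Audit record of each determination (claims 12, 29): request, contributions, outcome.
        self.audit_log: List[Tuple[AccessRequest, List[Decision], Decision]] = []

    def add_mechanism(self, mechanism: AccessDecisionMechanism) -> None:
        """Policy changes are reflected by adding mechanisms (claims 8, 25)."""
        self.mechanisms.append(mechanism)

    def decide(self, req: AccessRequest) -> Decision:
        contributions = [m(req) for m in self.mechanisms]
        if Decision.DENY in contributions:
            overall = Decision.DENY
        elif self.abstain_denies and Decision.ABSTAIN in contributions:
            overall = Decision.DENY
        elif Decision.PERMIT in contributions:
            overall = Decision.PERMIT
        else:
            overall = Decision.DENY  # nobody permitted: fail closed (assumption)
        self.audit_log.append((req, contributions, overall))
        return overall


def run_sample(abstain_denies: bool) -> Dict[str, str]:
    """Runs a few constructed requests through one combining mode; returns name -> outcome."""
    controller = AccessController(
        [role_policy("/trading/", "trader"), business_hours_policy(hour_now=11)],
        abstain_denies,
    )
    requests = {
        "alice-modify-book": AccessRequest("alice", "/trading/book", "modify"),
        "alice-view-book": AccessRequest("alice", "/trading/book", "view"),
        "bob-view-book": AccessRequest("bob", "/trading/book", "view"),
        "alice-view-report": AccessRequest("alice", "/reports/q1", "view"),
    }
    return {name: controller.decide(req).value for name, req in requests.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"abstain_denies={mode}: {run_sample(mode)}")
```

The difference between the two combining rules shows up on the "view" request: the business-hours mechanism abstains because it only has an opinion on "modify", so under the claim 10 rule the request is denied even though the role mechanism permitted it, while under the claim 11 rule the role mechanism's permit stands. A deny from any mechanism wins under either rule, and the audit log keeps the individual contributions alongside the outcome so the reason for a denial can be reconstructed later.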

30. The method of claim 18 wherein said step of communicating via a 
resource interface includes passing requests via an interface mechanism to or 
from a protected resource. 

31. The method of claim 30 wherein said interface mechanism includes a Java J2EE security interface.

32. The method of claim 30 wherein said interface mechanism includes a security provider interface.

33. The method of claim 30 wherein said interface mechanism is included as 
a plug-in in said resource interface. 
34. The method of claim 18 further comprising:

making a decision on whether to permit or deny a response to said access request from said protected resource to said client.

35. A method for determining a user entitlement to access protected 
resources in a secure environment, comprising: 

receiving an access request from a user application to access a protected resource;

invoking a security service with said access request;

determining a user entitlement to access said protected resource;

making a decision at said security service based on said user entitlement to permit or deny said access request; and,

the steps of either

(a) communicating a permitted access request to said protected resource, or

(b) denying a denied access request to said protected resource.

36. The method of claim 35 wherein said entitlement determines the type of 
access available to the user of said protected resource. 

37. The method of claim 36 wherein said type of access includes any of view, 
modify, delete, or copy, any part or all of said protected resource. 

38. The method of claim 35 wherein information about said user entitlement 
can be communicated from a first security realm to a second security realm. 

39. The method of claim 38 wherein additional information from a first security realm can be used to modify the user entitlement, prior to communicating said information about said user entitlement from said first security realm to said second security realm.
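The following Python sketch is an added illustration, not code from the patent or from any product it describes. It covers claims 35 to 39: an entitlement that fixes which types of access (view, modify, delete, copy) a user has to a protected resource, a decision made from that entitlement, and the transfer of entitlement information from a first security realm to a second one after the first realm has modified it using additional information of its own. The patent does not say how realms exchange this information, so the entitlement table, the realm names, the export restriction that plays the role of the "additional information", and the HMAC-SHA256-signed assertion that the second realm verifies before trusting are all assumptions made for this example.

```python
# Added illustration, not code from the patent: entitlement-based decisions (claims 35-37) and the
# transfer of entitlement information between two security realms (claims 38-39).
# The entitlement table, realm names, export restriction and the HMAC-signed assertion format
# are assumptions made for this example; the patent does not specify how realms exchange the information.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Types of access an entitlement may grant (claim 37).
ACCESS_TYPES: FrozenSet[str] = frozenset({"view", "modify", "delete", "copy"})


@dataclass(frozen=True)
class Entitlement:
    subject: str
    resource: str
    access: FrozenSet[str]  # subset of ACCESS_TYPES


# Constructed entitlement table standing in for whatever store the security service consults.
ENTITLEMENTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "/docs/plan"): frozenset({"view", "modify", "delete"}),
    ("bob", "/docs/plan"): frozenset({"view"}),
}


def determine_entitlement(subject: str, resource: str) -> Entitlement:
    """Claim 35: determine the user's entitlement; unknown pairs get an empty entitlement."""
    return Entitlement(subject, resource, ENTITLEMENTS.get((subject, resource), frozenset()))


def decide(subject: str, resource: str, action: str) -> str:
    """Claims 35-36: permit only if the entitlement includes the requested type of access."""
    if action not in ACCESS_TYPES:
        return "deny"  # unknown access type: fail closed
    return "permit" if action in determine_entitlement(subject, resource).access else "deny"


# Cross-realm transfer. Assumption: both realms share a symmetric key and the first realm signs
# the exported entitlement with HMAC-SHA256 so the second realm can detect tampering.
REALM_KEY = b"constructed-shared-key-for-example-only"

# "Additional information from the first realm" (claim 39), here an export policy that strips
# access types the first realm never delegates to a given target realm.
EXPORT_RESTRICTIONS: Dict[str, FrozenSet[str]] = {"realm-b": frozenset({"delete"})}


def export_entitlement(ent: Entitlement, source_realm: str, target_realm: str,
                       key: bytes = REALM_KEY) -> bytes:
    """Claims 38-39: narrow the entitlement per export policy, then emit a signed assertion."""
    narrowed = ent.access - EXPORT_RESTRICTIONS.get(target_realm, frozenset())
    payload = json.dumps(
        {"sub": ent.subject, "res": ent.resource, "access": sorted(narrowed),
         "iss": source_realm, "aud": target_realm},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def import_entitlement(token: bytes, expected_realm: str,
                       key: bytes = REALM_KEY) -> Optional[Entitlement]:
    """Second realm: verify the signature and audience before trusting the entitlement."""
    payload, sep, tag = token.rpartition(b".")
    if not sep:
        return None  # malformed assertion
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected_tag, tag):
        return None  # tampered, or signed with a key this realm does not share
    data = json.loads(payload)
    if data.get("aud") != expected_realm:
        return None  # assertion was issued for a different realm
    access = frozenset(data["access"]) & ACCESS_TYPES
    return Entitlement(data["sub"], data["res"], access)


if __name__ == "__main__":
    ent = determine_entitlement("alice", "/docs/plan")
    print("delete in realm-a:", decide("alice", "/docs/plan", "delete"))
    token = export_entitlement(ent, "realm-a", "realm-b")
    print("imported in realm-b:", import_entitlement(token, "realm-b"))
```

Within the first realm alice may delete the resource, but the exported assertion for realm-b carries only view and modify, because the first realm's export policy modified the entitlement before communicating it (claim 39). The importing realm rejects an assertion whose signature does not verify, whose audience names another realm, or that arrives malformed, so a forwarded entitlement is only as trustworthy as the key and the checks on the receiving side.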